Passkey Account Create policy

The Passkey Account Create policy enables users to create new accounts for themselves. This policy uses the reCAPTCHA mechanism to verify that requests originate from a human and an email OTP to ensure that a valid email address is being used. Where possible, passkey enrollment is offered to users as the first-factor authentication method instead of the traditional password.

Account Create setup

  • Ensure that the Prerequisites steps are completed.
  • Enable SCIM Verify Access User.
    1. Log in to the local management interface.
    2. Click AAC.
    3. Under Manage, click SCIM Configuration.
    4. Click Verify Access User.
    5. Check Enable Verify Access Integration.
    6. Select the SCIM server connection from the Verify Access User Registry dropdown.
    7. Check Update Native Users.
  • Configure the reCAPTCHA Verification mechanism. See Configuring the reCAPTCHA Verification authentication mechanism.
  • Configure the email OTP delivery mechanism to be used in the Account Create authentication policy.
    1. Log in to the local management interface.
    2. Click AAC.
    3. Under Policy, click Authentication.
    4. Click Mechanisms.
    5. Click Email One-time Password.
    6. Click Edit.
    7. Select the Properties tab and configure the connection to the SMTP server.
  • Configure a FIDO2 Relying Party.
    1. Log in to the local management interface.
    2. Click AAC.
    3. Under Manage, click FIDO2 Configuration.
    4. Enter a Display Name and Relying Party ID.
    5. Click Next.
    6. Click Save.
    7. Click AAC.
    8. Under Policy, click Authentication.
    9. Click Mechanisms.
    10. Click FIDO2 WebAuthn Registration.
    11. Click Edit.
    12. Select the Properties tab and configure the Relying Party Config ID.

HTML templates

  • authsvc/usc/passkey/collect_email.html
  • authsvc/usc/passkey/collect_password.html
  • authsvc/usc/passkey/collect_profile.html
  • authsvc/usc/passkey/email_otp.html
  • authsvc/usc/passkey/passkey_reg_decision.html
  • authsvc/usc/passkey/success.html
  • static/css/usc/passkey.css
  • static/scripts/usc/passkey/collect_email.js
  • static/scripts/usc/passkey/collect_password.js
  • static/scripts/usc/passkey/collect_profile.js
  • static/scripts/usc/passkey/email_otp.js
  • static/scripts/usc/passkey/passkey_reg_decision.js
  • static/scripts/usc/passkey/success.js

JavaScript Mapping Rules

  • USC_Common
  • USC_Passkey_CollectEmail
  • USC_Passkey_CollectPassword
  • USC_Passkey_CollectProfile
  • USC_Passkey_Reg_Decision
  • USC_Passkey_Success

Creating a new account workflow

The Passkey Account Create authentication policy enables users to create new accounts with the following workflow.

  1. The user accesses the Passkey Account Create policy.
  2. On this screen, the user is prompted to enter an email address and CAPTCHA.
    • The template page that is presented is authsvc/usc/passkey/collect_email.html.
    • The JavaScript that pre-populates the form and validates responses is USC_Passkey_CollectEmail.
  3. On the next screen, the user is prompted to enter an OTP.
    • The OTP is delivered by an email.
    • The template page that is presented is authsvc/usc/passkey/email_otp.html.
  4. On the next screen, the user is presented with the enrollment form.
    • The template page that is presented is authsvc/usc/passkey/collect_profile.html.
    • The JavaScript that pre-populates the form and validates responses is USC_Passkey_CollectProfile.
  5. On the next screen, if the browser has user-verifying platform authenticator (UVPA) capability, the user is prompted to enroll a passkey.
    • The template page that is presented is authsvc/usc/passkey/passkey_reg_decision.html.
    • The JavaScript that prompts the user to enroll is USC_Passkey_Reg_Decision.
  6. If the user chooses to enroll a passkey, the user is directed to the FIDO2 WebAuthn Registration mechanism.
  7. If the user chooses to skip passkey enrollment, and the user did not enter a password on the collect password page, the user is prompted to enter a password.
    • The template page that is presented is authsvc/usc/passkey/collect_password.html.
    • The JavaScript that pre-populates the form and validates responses is USC_Passkey_CollectPassword.
  8. On the next screen, the account success page is presented.
    • The template page that is presented is authsvc/usc/passkey/success.html.
    • The JavaScript that pre-populates the template and ends the policy is USC_Passkey_Success.
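As an added example (not the product's own USC_Passkey_Reg_Decision mapping rule or template script), the following browser-side logic shows how the UVPA check in step 5 and the enroll/skip branches in steps 6 to 8 can be expressed. The page identifiers such as `fido2_webauthn_registration`, the `passwordEntered` flag, and the treatment of "no UVPA" as equivalent to skipping enrollment are assumptions, not documented behavior.

```javascript
// Added example, not the product's USC_Passkey_Reg_Decision rule.
// Page names, the passwordEntered flag and the "no UVPA means skip"
// reading are assumptions; the UVPA gate and the enroll/skip branches
// follow the documented workflow (steps 5 to 8).

// Step 5 gate: is a user-verifying platform authenticator (UVPA) available?
// The global object is a parameter so the check can run outside a browser.
async function detectUvpa(globalObj = globalThis) {
  const pkc = globalObj.PublicKeyCredential;
  if (!pkc || typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable !== "function") {
    return { webauthn: false, uvpa: false }; // old browser or non-secure context
  }
  try {
    // Resolves true only for a platform authenticator that verifies the user
    // (biometric or PIN); roaming security keys do not count here.
    const uvpa = await pkc.isUserVerifyingPlatformAuthenticatorAvailable();
    return { webauthn: true, uvpa: Boolean(uvpa) };
  } catch (e) {
    return { webauthn: true, uvpa: false }; // a failed probe is treated as "no UVPA"
  }
}

// Which page follows the enrollment form (step 4)? This is a UX hint only:
// the server-side FIDO2 WebAuthn Registration mechanism still validates
// whatever credential the browser eventually produces.
function routeAfterProfile(capability, passwordEntered) {
  if (capability.uvpa) return "passkey_reg_decision"; // step 5
  // Assumption: without a UVPA the flow behaves as if enrollment was skipped.
  return passwordEntered ? "success" : "collect_password"; // step 7 or 8
}

// Which page follows the user's choice on passkey_reg_decision (steps 6 to 8)?
function routeAfterDecision(choice, passwordEntered) {
  if (choice === "enroll") return "fido2_webauthn_registration"; // step 6
  if (choice !== "skip") throw new Error(`unexpected decision: ${choice}`);
  return passwordEntered ? "success" : "collect_password"; // step 7 or 8
}
```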